I have noticed that the implementation of `mkstemps` in libiberty will
silently accept a negative `suffix_len`. A negative `suffix_len` is
always incorrect, and in this case it may allow for out-of-bounds access:

    int
    mkstemps (char *pattern, int suffix_len)
    {
      [...]
      size_t len;
      int count;

      len = strlen (pattern);

      if ((int) len < 6 + suffix_len
          || strncmp (&pattern[len - 6 - suffix_len], "XXXXXX", 6))
        {
          return -1;
        }

      XXXXXX = &pattern[len - 6 - suffix_len];

Is the omission of this check intentional? If so, what's the reason?
glibc's implementation checks it.

Something else that seems to be missing: according to the man page, when
the above check fails, errno should be set to `EINVAL`. Again, that's
what glibc does. Is not setting it intentional as well?

If either or both of the above cases are bugs, I will submit a patch.

Tomás
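
The two points raised in the message above, as an added example that is not part of the original post and is not libiberty's or glibc's code: one helper computes the index the quoted test would pass to `strncmp` for a negative `suffix_len` without dereferencing it, and one performs the check with `suffix_len < 0` rejected and `errno` set to `EINVAL`. The names `unchecked_offset_is_oob` and `find_placeholder` and the sample template are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if the index the unchecked test passes to
   strncmp lies past the terminating NUL.  It computes the index only and
   never dereferences it; long long keeps the arithmetic from wrapping.  */
int
unchecked_offset_is_oob (const char *pattern, int suffix_len)
{
  long long len = (long long) strlen (pattern);

  if (len < 6LL + suffix_len)
    return 0;                   /* length test rejects before indexing */
  return len - 6 - suffix_len > len;
}

/* Hypothetical hardened check: pointer to the "XXXXXX" run, or NULL with
   errno set to EINVAL.  A negative suffix_len is rejected before use.  */
char *
find_placeholder (char *pattern, int suffix_len)
{
  size_t len = strlen (pattern);

  if (suffix_len < 0
      || len < 6 + (size_t) suffix_len
      || strncmp (&pattern[len - 6 - (size_t) suffix_len], "XXXXXX", 6) != 0)
    {
      errno = EINVAL;
      return NULL;
    }
  return &pattern[len - 6 - (size_t) suffix_len];
}

int
main (void)
{
  char tmpl[] = "fileXXXXXX.txt";       /* constructed sample template */

  printf ("suffix_len=-8, unchecked index out of bounds: %d\n",
          unchecked_offset_is_oob (tmpl, -8));
  printf ("suffix_len=-8, hardened check: %s\n",
          find_placeholder (tmpl, -8) ? "accepted" : "rejected (EINVAL)");
  printf ("suffix_len=4, placeholder offset: %td\n",
          find_placeholder (tmpl, 4) - tmpl);
  return 0;
}
```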